Overview

It is important to note that the research and subsequent advisory do not introduce a new type of vulnerability or attack technique, but rather a continued weakness in many default configurations of Internet-connected devices. These devices are now actively being exploited in mass-scale attack campaigns against Akamai customers.

The Threat Research Team has observed SSHowDowN Proxy attacks originating from the following types of devices:

Mounting attacks against a multitude of Internet targets and Internet-facing services, such as HTTP, SMTP and Network Scanning

Mounting attacks against internal networks that host these connected devices

Once malicious users access the web administration console, they have been able to compromise the device’s data and, in some cases, fully take over the machine.

“We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,” explained Ory Segal, senior director, Threat Research, Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”

Mitigation

Some recommended approaches to mitigation include:

If the device offers access to alter the SSH passwords or keys, change those from the vendor defaults.

If the device offers direct file system access:

Add "AllowTcpForwarding No" into the global sshd_config file.

Add "no-port-forwarding" and "no-X11-forwarding" to the ~/ssh/authorized_ keys file for all users.

If neither option above is available, or if SSH access is not required for normal operation, disable SSH entirely via the device's administration console.

If the device is behind a firewall, consider doing one or more of the following:

Disable inbound connections from outside the network to port 22 of any deployed IoT devices

Disable outbound connections from IoT devices except to the minimal set of ports and IP addresses required for their operation.

About Akamai

As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company’s advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Resources

We're Social

As the world’s largest and most trusted cloud delivery platform, Akamai makes it easier for its customers to provide the best and most secure digital experiences on any device, anytime, anywhere. Akamai’s massively distributed platform is unparalleled in scale with over 200,000 servers across 130 countries, giving customers superior performance and threat protection. Akamai’s portfolio of web and mobile performance, cloud security, enterprise access, and video delivery solutions are supported by exceptional customer service and 24/7 monitoring.To learn why the top financial institutions, e-commerce leaders, media & entertainment providers, and government organizations trust Akamai please visit www.akamai.com, blogs.akamai.com, or @Akamai on Twitter.